Analysis: 2020 Health Data Breach TrendsRansomware, Phishing Incidents, Vendor Hacks Prevail
Hacking incidents, including ransomware and phishing attacks, as well as security incidents involving vendors dominated the federal tally of major health data breaches in 2020.
A snapshot on Monday of the Department of Health and Human Service’s HIPAA Breach Reporting Tool website shows some 619 major breaches were reported and added to the tally in 2020, affecting nearly 28.8 million individuals.
Of those, 415 - or more than two-thirds - were reported as hacking incidents. Those affected a total of 26.4 million individuals, or more than 90% of those affected by major health data breaches reported in and added to the tally in 2020.
Some 246 incidents – or about 40% - were reported as involving a business associate. Those breaches affected nearly 19 million individuals.
Also commonly called the “wall of shame,” the HHS website lists reported health data breaches affecting 500 or more individuals.
More 2020 breaches will undoubtedly be added to the HHS website in the weeks ahead as more affected entities detect, assess and report breaches of protected health information occurring in 2020 and federal regulators review and confirm details of those breach report filings.
After hacking incidents, the next most commonly reported type of breach involved unauthorized access/disclosure. There were about 134 such incidents in 2020 affecting more than 774,000 individuals.
Another 28 breaches involved lost or stolen unencrypted computing devices, and those affected more than 815,000 individuals. The largest of those incidents – reported last February by Medicaid care coordination organization Health Share of Oregon - affected more than 654,000.
Since the tally began in September 2009, some 3,685 major health data breaches affecting a total of about 267.6 million individuals have been listed.
Biggest Health Data Breaches in 2020
|Breached Entity||Individuals Affected|
|*Trinity Health||3.3 Million|
|MEDNAX Services||1.3 Million|
|*Inova Health System||1.05 Million|
|Magellan Health Inc.||1.01 Million|
|Dental Care Alliance||1 Million|
|Luxottica of America||830,000|
|*Northern Light Health||657,000|
|Health Share of Oregon||654,000|
|Florida Orthopaedic Institute||640,000|
|Elkhart Emergency Physicians||550,000|
Among breaches added to the tally in recent weeks was a phishing incident reported on Dec. 16 by Fort Lauderdale, Florida-based MEDNAX Services Inc., a vendor of revenue cycle management and other administrative services to physician practices.
That incident, which affected 1.3 million individuals, involved a third party who gained access to a Microsoft Office 365-hosted MEDNAX business email account through a phishing scheme, the company says in a breach notification statement.
The MEDNAX breach is among several large business associate incidents that topped the federal tally in 2020. Another is a hacking incident affecting more than 1 million individuals reported on Dec. 8 by Sarasota, Florida-based Dental Care Alliance. DCA provides support services to hundreds of dental practices in 20 states.
Also in December, health plan Aetna ACE reported a hacking incident affecting more than 484,000 individuals that involved a business associate, EyeMed Vision Care, a Cincinnati, Ohio-based vision benefits company. The EyeMed email hacking incident also affected a number of other covered entities, including Tufts Health Plan, which reported a breach to HHS in November affecting nearly 61,000 individuals.
The vendor at the center of many large health data breaches reported to HHS in 2020 was Blackbaud, a cloud-based fundraising software provider to at least 250 U.S.-based organizations that was hit by ransomware.
The HHS website indicates that Blackbaud-related healthcare sector breaches have affected at least 11 million individuals. That includes the breach topping the federal tally so far in 2020, which was reported by Michigan-based Trinity Health in September and affected 3.3 million individuals.
In addition to the hacking incident involving Blackbaud, an April ransomware attack on Scottsdale, Arizona-based managed health company Magellan Health affected at least a half-dozen entities.
Among the most recently added ransomware attacks on the tally is a July breach at Scottsdale, Arizona-based pharmacy GenRx Pharmacy affecting more than 137,000 individuals.
As the recent SolarWinds supply chain breach and the Blackbaud incident clearly illustrate, a vendor breach can affect many organizations, says Jim Van Dyke, CEO and founder of security firm Breach Clarity.
“The ultimate cost of a breach is significantly determined by what PII or PHI was exposed, which most pundits appear to not even realize,” he says.
For instance, he points out, “the 2015 massive Anthem data breach, which impacted nearly 80 million individuals, primarily raised risk of new financial credit account and IRS refund fraud because of the particular eight ID credentials that were exposed. The risk of medical ID theft was actually low for affected consumer victims, yet the company had a massive $115 million legal settlement because hackers were able to access the kinds of data most valuable in very costly ID crimes.”
When setting security procedures, organizations must “consider the use case of any potential exposed data,” Van Dyke urges.